
Protection of Information Assets

Temple University

MIS 5206.001 ■ Fall 2021 ■ David Lanter

Question 2

August 25, 2021 by David Lanter 5 Comments

How would you apply the FIPS 199 security categorizations to decide whether each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?

Filed Under: Unit 02: Data Classification Process and Models

Comments

  1. Elizabeth Gutierrez says

    August 29, 2021 at 2:54 pm

    The Federal Information Processing Standards (FIPS 199) identifies three security categories known as the CIA triad: Confidentiality, Integrity, and Availability. Each category represents a potential impact on an organization or individual(s); the rankings or levels of potential impact are expressed as “low”, “moderate”, or “high”, and “not applicable” only if considering an information type. In other words, the generalized format expressing the security category of an information type is: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}. If the data needs to be safeguarded, there are two options available based on the FGDC guidelines: changing or restricting the data. If I had to apply the FIPS 199 security categorizations to decide if each of the safeguards described in the FGDC guidelines is needed, I would first create a matrix to help me identify where my organization has a moderate or high potential impact, keeping in mind the three security categories. I also found the decision tree to be very helpful in determining what steps to take next; I would follow the steps outlined by the decision tree based on my risk analysis of the CIA triad and impact levels.

    • Shubham Patil says

      August 31, 2021 at 12:06 pm

      Risk mitigation can be done by considering the potential impact as low/moderate/high if the loss of CIA could be expected to have a limited/serious/severe or catastrophic adverse effect on organizational operations, assets, or individuals. FGDC stresses the confidentiality aspect more. It focuses more on safeguarding the sensitive data involved. In both cases, organizations are advised to ensure that they have the authority to safeguard the data.

  2. Shubham Patil says

    August 29, 2021 at 3:52 pm

    The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

    The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
    Federal Information Processing System (FIPS) Standards are developed to standardize data and processes among federal agencies. Their goal is to gain efficiency and economy through widespread use. These standards are generally mandated for use by federal agencies.

    The main purposes of FGDC standards are to reduce duplication, reduce the expense of data collection, and increase the sharing of available data. Risk mitigation can be achieved by combining these two federal standard frameworks.

    References:

    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

    • Elizabeth Gutierrez says

      August 30, 2021 at 6:31 pm

      Hi Shubham,

      I also believe combining FIPS standards with the FGDC guidelines is the right move for security risk mitigations. Do you mind further evaluating how you would use/apply the resources? I also found a gap in the FGDC guidelines that is not addressed by this question. The FGDC guidelines are set up in a way that is only practical for organizations that already have procedures in place for handling sensitive information. Additionally, the guidelines take for granted that some organizations may not have executive and management officials to conduct the tasks recommended, fail to address necessary internal procedures, and do not say how to financially support these decisions.

  3. Alexander William Knoll says

    September 1, 2021 at 11:06 pm

    The FIPS 199 security categorizations are confidentiality, integrity, and availability. To determine if risk mitigations are necessary, one must look at the potential impact. If the impact is low, then safeguards may not be needed. If the impact is moderate or high, though, then safeguards should definitely be implemented.

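The matrix approach from the first comment and the "low may not need a safeguard, moderate or high does" rule from the third can be carried out mechanically. The following is an added worked example, not part of this thread and not code from FIPS 199, NIST or the FGDC: it builds the SC {(confidentiality, impact), (integrity, impact), (availability, impact)} triple for each information type, rolls the types up into a system category using the FIPS 199 high-water mark (the highest impact per objective, with "not applicable" allowed only for the confidentiality of an information type and never at the system level, so each system objective is at least "low"), and then marks which objectives call for a safeguard. The information-type names and their impact values are constructed for illustration and are not categorizations taken from either standard.

```python
"""FIPS 199 security categorization and safeguard decision matrix (added example)."""
from dataclasses import dataclass
from typing import Dict

# Ordering of FIPS 199 potential-impact values. "n/a" (not applicable) is
# permitted only for the confidentiality objective of an information type.
IMPACT_RANK: Dict[str, int] = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject unknown values and "n/a" on integrity or availability.
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in IMPACT_RANK:
                raise ValueError(f"{objective}: unknown impact value {value!r}")
            if value == "n/a" and objective != "confidentiality":
                raise ValueError(f"{objective}: 'n/a' is only allowed for confidentiality")

    def as_fips199(self, name: str) -> str:
        """Render in the notation used in FIPS 199."""
        return (f"SC {name} = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), (availability, {self.availability})}}")


def high_water_mark(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """System category = per-objective maximum over the information types it holds.

    FIPS 199 does not allow 'n/a' for an information system, so every
    objective of the system category is floored at 'low'.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    values: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max((getattr(sc, objective) for sc in info_types.values()),
                      key=IMPACT_RANK.__getitem__)
        values[objective] = highest if IMPACT_RANK[highest] >= IMPACT_RANK["low"] else "low"
    return SecurityCategory(**values)


def safeguard_needed(impact: str) -> bool:
    """Decision rule from the discussion: moderate or high impact calls for the
    safeguard; low (or n/a) means it may be skipped."""
    return IMPACT_RANK[impact] >= IMPACT_RANK["moderate"]


def safeguard_decisions(system: SecurityCategory) -> Dict[str, bool]:
    """Matrix: objective -> whether a safeguard protecting that objective is needed."""
    return {objective: safeguard_needed(getattr(system, objective)) for objective in OBJECTIVES}


# Constructed sample: information types a hypothetical geospatial data program
# might hold. The impact values are illustrative assumptions only.
SAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "public base map": SecurityCategory("n/a", "moderate", "low"),
    "utility infrastructure locations": SecurityCategory("high", "moderate", "moderate"),
    "field survey schedule": SecurityCategory("low", "low", "low"),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_INFO_TYPES.items():
        print(sc.as_fips199(name))
    system = high_water_mark(SAMPLE_INFO_TYPES)
    print(system.as_fips199("geospatial data system"))
    for objective, needed in safeguard_decisions(system).items():
        print(f"{objective:16s} safeguard needed: {needed}")
```

Run it as a script to see the per-type categories, the rolled-up system category, and the resulting safeguard matrix. The floor to "low" in `high_water_mark` is the edge case worth noticing: a system whose only information type has "n/a" confidentiality still gets a "low" confidentiality category, because the system's own processing functions must be protected even when the data it holds is public.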
